Michigan wardrivers await sentencing

'This has messed up my entire life,' laments wireless felon

In what prosecutors say is likely the first criminal conviction for wardriving in the US, a Michigan man pleaded guilty Wednesday to a federal misdemeanor for using the Internet through an open Wi-Fi access point at a Lowe's home improvement store in suburban Detroit.

Paul Timmins, 23, pleaded guilty to a single count of unauthorized access to a protected computer. He was cleared of more serious charges of participating in a scheme organized by his roommate and another man to later use the wireless network to hack into Lowe's computers and siphon credit card numbers.

Timmins, who works as a network engineer, and his then-roommate Adam Botbyl, now 21, initially stumbled across the unsecured wireless network at the Southfield, Michigan Lowe's in the spring of 2003, while driving around with laptop computers looking for wireless networks - the geek sport of "wardriving".

Timmins immediately used the network to check his email, not knowing that it wasn't intended for public access, he claimed in a telephone interview with SecurityFocus on Thursday. Then, when he tried to surf the Web and found himself connected to a Lowe's corporate portal instead, he realized it was a private corporate network, and he disconnected, he says.

"Was it in violation of the law?" Timmins said. "Technically, yes... Did Adam seeing it help him decide to hack Lowe's? Definitely. But it's not like I said, 'Here's a good place to hack,' or anything. Had he not seen me do that, he would probably have chosen a different retail store."

Botbyl noted the network, and six months later returned with his friend Brian Salcedo, now 21, a young hacker on the last month of a three-year probation term from a juvenile computer crime conviction. From the parking lot of the Southfield Lowe's, Salcedo and Botbyl used the wireless network to route through the company's corporate data center in North Carolina and connect to the local networks at stores in Kansas, North Carolina, Kentucky, South Dakota, Florida, and two stores in California.

At two of the stores - in Long Beach, California and Gainesville, Florida - Botbyl and Salcedo modified a proprietary piece of software called "tcpcredit" that Lowe's uses to process credit card transactions, building in a virtual wiretap that would store customers' credit card numbers where the hackers could retrieve them later.

Prison terms

At some point, Lowe's network administrators and security personnel detected and began monitoring the intrusions, and called in the FBI. In November, a Bureau surveillance team staked out the Southfield Lowe's parking lot, and spotted a white Pontiac Grand Prix with suspicious antennas and two young men sitting inside, one of them typing on a laptop from the passenger seat, according to court documents. The car was registered to Botbyl.

After 20 minutes, the pair quit for the night, and the FBI followed them to a Little Caesars pizza restaurant, then to a local multiplex. While the hackers took in a film, Lowe's network security team pored over log files and found the bugged program, which had collected only six credit card numbers.

FBI agents initially misidentified Timmins as the passenger in Botbyl's car, and both men were arrested on 10 November. Under questioning, Botbyl and Timmins pointed the finger at Salcedo.

All three men were slammed with a 16-count federal indictment in North Carolina, where Lowe's data center is based, charging them with computer intrusions, damage and fraud. Last June, Salcedo and Botbyl both entered guilty pleas in plea agreements with prosecutor Matthew Martens. Botbyl faces 41 to 51 months in prison under federal sentencing guidelines; Salcedo faces an unusually harsh 12 to 15 year prison term, based largely on a stipulation that the potential losses in the scheme exceeded $2.5 m. Both men are eligible for lower sentences if the government credits them with providing substantial assistance in prosecuting other suspects. No sentencing date has been set.

Salcedo is being held without bail, and could not be reached for comment.

In an interview Thursday, Botbyl, free on bail, unemployed, banned from computers and awaiting a certain prison term, expressed regret over the credit card scheme.

"I'm accepting responsibility for what I did, and the consequences," said Botbyl, who was a computer science student at the time of his arrest. "It's going to take a lot to start to get my reputation back. This has messed up my entire life for at least 10 or 15 years. It'll be at least 2010 before I can even touch a computer again."

Timmins' misdemeanor conviction will leave him better situated than Botbyl and Salcedo: his possible sentence ranges from probation to a maximum of 12 months in custody. No sentencing date has been set.

Cyberlaw lawyer Jennifer Granick, director of Stanford Law School's Center for Internet and Society, agrees with the government that Timmins' is likely the first wardriving conviction. But she isn't convinced that he actually committed a crime.

"Using an open wireless access point isn't the same thing as using a computer illegally," says Granick. "Convictions for this type of thing are possible where it's part of a larger criminal case, but it shouldn't happen in the absence of some other criminal purpose, like stealing credit cards, or knowledge that the network is closed. Wardriving isn't criminal."

"All he did was check his email and try to browse the Internet," said Botbyl. "That's the only connectivity he had with their network. He didn't do anything at all... I think the only reason they charged him is because they arrested him."